BitLocker Deployment Using MBAM is a Snap!

Three layers of protection:
• Device protection – protect data when a device is lost or stolen
• Data protection – prevent accidental data leakage
• Sharing protection – protect data as it is shared
Lost Laptops – Adding Terror to the Playbook

Over 12,000 laptops are lost in airports every week.

"It's staggering to learn that up to 600,000 laptops are lost in U.S. airports annually, many containing sensitive information that companies must account for." (Larry Ponemon)

Source: "New Study Reveals Up To 12,000 Laptop Computers Lost Weekly and up to 600,000 lost annually in U.S. Airports", Ponemon.org, June 20, 2008
Full volume encryption
• OS volumes
• Fixed data drives (like a separate hard drive or partition)
• Removable drives

Recovery
• Recovery keys
• DRA (data recovery agent)

Used disk space / pre-provisioning
• Encrypts used disk space only
• Pre-provisioning speeds up encryption by turning it on in WinPE
• TPM must be enabled and owned

TPM 1.2 – main spec in use. Random lockout thresholds and attempts.
TPM 2.0 – on by default. Consistent lockout.
MBAM integrates into existing deployment tools.

BitLocker enactment
• Grace period for enactment
• Prompts for PIN or password
• Escrows recovery information and TPM OwnerAuth

Compliance reporting
• Encryption status reporting per volume on each computer
• View overall compliance for your organization
• View reports standalone or in System Center Configuration Manager

Recovery
• Helpdesk recovery
• Self-service recovery
• Retrieve TPM OwnerAuth to unlock the TPM

MBAM client flow: install MBAM client → apply MBAM policy → enact BitLocker → report compliance
What's new in MBAM 2.5 SP1 (deployment, management, industry compatibility)
• Introduced scripts to support imaging
• Built cmdlets to import BitLocker and TPM data from AD
• Added automatic TPM unlock when BitLocker is recovered
• Consolidated and simplified server logging
• Added Windows 10 support
• Added Encrypted HDD support
• Supported International Domain Names
• Supported Win7 FIPS recovery password
• Included prompting for PIN after imaging
• Improved TPM OwnerAuth escrow

Customization
• Added ability to direct customers to the SSP from the BitLocker recovery screen
• Allowed SSP branding capability during setup
• Increased supported client languages to 23
• Updated reports schema to allow customization using Report Builder
Process
• Volume support
• Escrow/reporting
• Error handling
• Written in PowerShell; compatible with PowerShell v2
• Easy to use with MDT, SCCM, or standalone
Invoke-MbamClientDeployment.ps1 – the main script that your deployment system calls to configure MBAM and enable BitLocker.

Parameter                         | Required? | Description
-RecoveryServiceEndpoint          | Required  | MBAM recovery service endpoint
-StatusReportingServiceEndpoint   | Optional  | MBAM status reporting service endpoint
-EncryptionMethod                 | Optional  | Encryption method (default: AES 128)
-EncryptAndEscrowDataVolume       | Switch    | Encrypt data volume(s) and escrow data volume recovery key(s)
-WaitForEncryptionToComplete      | Switch    | Wait for the encryption to complete
-IgnoreEscrowOwnerAuthFailure     | Switch    | Ignore TPM OwnerAuth escrow failure
-IgnoreEscrowRecoveryKeyFailure   | Switch    | Ignore volume recovery key escrow failure
-IgnoreReportStatusFailure        | Switch    | Ignore status reporting failure

Example invocation (the three -Ignore*Failure switches are left off so that a failed escrow fails the deployment):

Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc `
    -StatusReportingServiceEndpoint https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc `
    -EncryptAndEscrowDataVolume -EncryptionMethod AES256 -WaitForEncryptionToComplete
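An added example, not from this deck or from the MBAM product: a wrapper that an MDT or SCCM task-sequence step could run around Invoke-MbamClientDeployment.ps1. It checks the prerequisite the deck states for pre-provisioning (TPM enabled and owned, and not in lockout), verifies both MBAM service endpoints answer over HTTPS, and then calls the script with the parameters documented above. The endpoint URLs are the deck's contoso.com samples; the script location, the endpoint probe via Invoke-WebRequest, and the exit-code handling are assumptions.

```powershell
# Added example (not part of the deck or of MBAM): task-sequence wrapper around
# Invoke-MbamClientDeployment.ps1. Endpoint URLs are the deck's contoso.com samples;
# the script path and the exit codes are assumptions.
param(
    [string]$ScriptPath = '.\Invoke-MbamClientDeployment.ps1',   # assumed: copied next to this wrapper
    [string]$RecoveryServiceEndpoint = 'https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc',
    [string]$StatusReportingServiceEndpoint = 'https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc',
    [string]$EncryptionMethod = 'AES256'                        # the deck's example value
)

$ErrorActionPreference = 'Stop'

# 1. The TPM must be enabled and owned before MBAM can escrow OwnerAuth and
#    enact BitLocker with a TPM protector; a locked-out TPM will not accept one.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmOwned)) {
    Write-Error ("TPM not ready: Present={0} Enabled={1} Owned={2}" -f $tpm.TpmPresent, $tpm.TpmEnabled, $tpm.TpmOwned)
    exit 1
}
if ($tpm.LockedOut) {
    Write-Error "TPM is in lockout (heal time $($tpm.LockoutHealTime)); do not enact BitLocker yet."
    exit 1
}

# 2. Escrow must succeed before encryption is worth starting, so confirm both
#    services answer over HTTPS. A TLS failure or a 404 lands in the catch block.
foreach ($url in @($RecoveryServiceEndpoint, $StatusReportingServiceEndpoint)) {
    try {
        $null = Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15
    } catch {
        Write-Error "MBAM endpoint unreachable: $url ($($_.Exception.Message))"
        exit 2
    }
}

# 3. Call the deck's script with its documented parameters. The -Ignore*Failure
#    switches are deliberately NOT passed: a failed OwnerAuth or recovery-key
#    escrow should fail the task sequence rather than leave a volume encrypted
#    with no escrowed recovery path.
& $ScriptPath `
    -RecoveryServiceEndpoint $RecoveryServiceEndpoint `
    -StatusReportingServiceEndpoint $StatusReportingServiceEndpoint `
    -EncryptionMethod $EncryptionMethod `
    -EncryptAndEscrowDataVolume `
    -WaitForEncryptionToComplete
$rc = $LASTEXITCODE   # assumption: the script signals failure with a non-zero exit code
if ($rc -ne 0) { Write-Error "Invoke-MbamClientDeployment.ps1 returned $rc"; exit $rc }

# 4. Confirm the result locally: every OS/fixed volume should now be encrypted
#    (or encrypting, when waiting was skipped) and carry a RecoveryPassword protector.
Get-BitLockerVolume | Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') } |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } } |
    Format-Table -AutoSize
```

Run it elevated from the task sequence after the MBAM client MSI has been installed; if the TPM or endpoint checks fail, the step exits before any encryption starts, which is the cheaper place to fail.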
As easy as 1…2…3! The MBAM agent works its magic.
Importing existing BitLocker recovery and TPM data from AD into MBAM with the 2.5 SP1 cmdlets:

Read-ADRecoveryInformation -Server contoso.com -Credential $cred -Recurse | Add-ComputerUser -FromComputerManagedBy | Write-MBAMRecoveryInformation -RecoveryServiceEndPoint https://mbamiis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc

Read-ADTpmInformation -Server contoso.com -Credential $cred -Recurse | Add-ComputerUser -FromComputerUserMapping (Import-Csv ComputerToUserMapping.csv) | Write-MBAMTpmInformation -RecoveryServiceEndPoint https://mbamiis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc
Recovery options
• Advanced helpdesk: enters the recovery key ID.
• Helpdesk: enters the user's domain and user name, then the recovery key ID.
• Self service: the user logs into a domain-joined PC, authenticates with Windows integrated auth, and provides the recovery key ID.
Recovery flow
• User hits the BitLocker recovery screen.
• Recovers the key from the SSP or the helpdesk portal; the key is marked as disclosed.
• The MBAM service wakes up and detects the key was disclosed.
• Checks if the TPM is locked out and automatically unlocks it if MBAM has the TPM OwnerAuth.
• Audited in the client event log and in the MBAM audit reports.
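An added example, not from this deck or from MBAM, that covers two things the deck describes: the per-volume compliance data the agent reports, and the state left behind after a recovery (disclosed key, TPM lockout, audit events). It reads the same information locally with the built-in BitLocker and TPM cmdlets, so a helpdesk engineer can confirm what the MBAM reports will show for that client. The MBAM client event-log channel names are an assumption taken from the Event Viewer layout (Microsoft > Windows > MBAM); adjust them if your client logs elsewhere.

```powershell
# Added example (not part of the deck or of MBAM): local checks that mirror what the
# MBAM agent reports and audits. Event-log channel names are an assumption.

function Get-BitLockerComplianceSummary {
    # One row per OS/fixed volume: encrypted, protected, and does a numeric
    # RecoveryPassword protector exist that the agent could have escrowed?
    Get-BitLockerVolume | Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') } |
        ForEach-Object {
            $rp = $_.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                VolumeStatus     = $_.VolumeStatus        # FullyEncrypted / EncryptionInProgress / FullyDecrypted
                EncryptionMethod = $_.EncryptionMethod
                ProtectionOn     = ($_.ProtectionStatus -eq 'On')
                HasRecoveryPwd   = [bool]$rp
                # The recovery key ID shown on the recovery screen is this protector GUID.
                RecoveryKeyIds   = ($rp | ForEach-Object { $_.KeyProtectorId }) -join ';'
            }
        }
}

function Get-TpmLockoutState {
    # After a recovery, MBAM checks whether the TPM is locked out and, when it
    # holds the OwnerAuth, resets the lockout. This reads the same state locally.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Owned           = $tpm.TpmOwned
        LockedOut       = $tpm.LockedOut
        LockoutCount    = $tpm.LockoutCount
        LockoutMax      = $tpm.LockoutMax
        LockoutHealTime = $tpm.LockoutHealTime
    }
}

function Get-RecentMbamClientEvents {
    param([int]$Hours = 24)
    # Assumption: the MBAM client writes to these two channels. Missing channels
    # or an empty window are tolerated with -ErrorAction SilentlyContinue.
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in @('Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational')) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Log'; e = { $log } }, Message
    }
}

# Usage: run elevated on the recovered client.
Get-BitLockerComplianceSummary | Format-Table -AutoSize
Get-TpmLockoutState
Get-RecentMbamClientEvents -Hours 48 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```

Run it elevated on the client that just went through recovery: a volume with ProtectionOn false or no RecoveryPassword protector will show as non-compliant in the MBAM reports, a TPM that is still LockedOut means the OwnerAuth was not available to MBAM, and the event listing is the local counterpart of the audit report entry the deck mentions.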
MBAM 2.5 SP1 makes it even easier to deploy and manage BitLocker on your devices.

Related sessions
• BRK3340 App-V 5.0 SP3: Advanced Connection Groups – Thurs 17:00
• BRK3317 Creating a Seamless User Experience with Microsoft UE-V and Windows 10 – Fri 12:30
• BRK3304 Managing Windows 10 Using Group Policy with In the Box, Microsoft and 3rd Party Tools – Wed 9:00
• BRK3144 Microsoft Office 365 ProPlus: Have It Your Way! – Fri 12:30
• BRK3868 Fundamentals of Microsoft Azure RemoteApp Management and Administration – Tues 13:30

Download: http://myignite.microsoft.com